Problem with shipping configuration (auditbeat)

I have implemented ELK on a single node with basic security (Windows Server 2016).
Elasticsearch, Logstash and Kibana are working fine. Now I want to start shipping some data and setting up dashboards. I have a Windows 10 machine with auditbeat 7.12.1 configured as follows:

```yaml
setup.dashboards.enabled: true
setup.kibana:
  host: "<ip address to my ELK>:5601"
  username: "kibana_system"
  password: "kibanapwd"

output.logstash:
  hosts: ["<ip address of to my ELK>:5044"]
  username: "logstash_system"
  password: "logstash_system"
```

I know that Windows 10 and ELK can talk to each other because I am able to ping ELK from Windows 10.
However, when I run the command `.\auditbeat.exe -e` I get the following response:

"No connection could be made because target machine actively refuse it.. Response: . "

Now, I may be confused about a couple of things.

  1. Should I send beats to Logstash or Elasticsearch?
  2. Users kibana_system and logstash_system are default users that I created passwords for with the Elasticsearch interactive mode. Should I use/create different users?
     Maybe one of these (Built-in roles | Elasticsearch Guide [7.9] | Elastic)?
  3. Since I implemented basic security between nodes, do I also need to create certificates for every auditbeat host? Do I also need to update the auditbeat.yml files with configuration for it? (I thought this was only for HTTPS traffic, which I have not set up yet.)

As always, thank you for the support.
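A ping reply only shows the host is up; "connection refused" means nothing is listening on the port the Beat is dialling. The following PowerShell snippet is an added troubleshooting example, not part of the original post: it checks each port the Beat uses and then lets auditbeat validate its own config and output. `$ElkHost` and the install directory are placeholders.

```powershell
# Added example (not from the original post). Assumes the ELK node is at the
# placeholder address $ElkHost and that auditbeat.yml sits next to auditbeat.exe.
$ElkHost = "192.0.2.10"   # placeholder: replace with the ELK node's address

# ICMP ping only proves the host is up. "Connection refused" means nothing
# is listening on that TCP port (service not started, wrong port, or a host
# firewall rule), so test each port the Beat actually talks to:
# 5601 = Kibana (setup), 9200 = Elasticsearch, 5044 = Logstash beats input.
foreach ($Port in 5601, 9200, 5044) {
    $r = Test-NetConnection -ComputerName $ElkHost -Port $Port -WarningAction SilentlyContinue
    "{0}:{1} TcpTestSucceeded={2}" -f $ElkHost, $Port, $r.TcpTestSucceeded
}

# On the ELK node itself, confirm Logstash is actually bound to 5044
# (run this on the server, not on the Windows 10 client):
#   Get-NetTCPConnection -LocalPort 5044 -State Listen

# Let the Beat validate its configuration file and its output connection.
# "test config" and "test output" are built-in auditbeat subcommands.
Set-Location "C:\Program Files\auditbeat"   # assumption: auditbeat install directory
.\auditbeat.exe test config -c .\auditbeat.yml
.\auditbeat.exe test output -c .\auditbeat.yml
```

If `test output` fails against Logstash but `Test-NetConnection` to 9200 succeeds, switching `output.logstash` to `output.elasticsearch` temporarily is the quickest way to prove the Beat side is fine before debugging the Logstash listener.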

Would you mind formatting the configuration using ``` ?

I think you should try to find the root cause by temporarily switching to writing directly to Elasticsearch. If it works fine, you put Logstash in the middle.

So I finally fixed Kibana and Elastic. Elastic has HTTPS, and SSL communication between Elastic and Kibana works.

Next step is Logstash, which I can't figure out...

I get the following error, please advise.

```
[2021-05-24T12:41:05,632][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2021-05-24T12:41:05,938][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [A-Za-z0-9_-], [ \\t\\r\\n], \"#\", \"{\", [A-Za-z0-9_] at line 12, column 14 (byte 152) after output {\n  elasticsearch {\n  ssl => ture\n  ssl_certificate_verification => true\n  cacert => C", :backtrace=>["C:/Program Files/logstash/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'", "C:/Program Files/logstash/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "C:/Program Files/logstash/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "C:/Program Files/logstash/logstash/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}
[2021-05-24T12:41:06,071][INFO ][logstash.runner          ] Logstash shut down.
[2021-05-24T12:41:06,086][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.13.0.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.13.0.jar:?]
        at C_3a_.Program_20_Files.logstash.logstash.lib.bootstrap.environment.<main>(C:\Program Files\logstash\logstash\lib\bootstrap\environment.rb:89) ~[?:?]
PS C:\Program Files\logstash\logstash>
```
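The error above is a pipeline parse failure: the parser stopped at `cacert => C` because a Windows path must be a quoted string in Logstash config syntax (the `:` in `C:` is not allowed in a bareword), and `ssl => ture` was accepted only because any bareword parses. As an added example that is not part of the original thread, this PowerShell snippet writes a minimal beats-in, Elasticsearch-over-HTTPS-out pipeline with correctly quoted values and then runs Logstash's own syntax check. All paths, hosts and credentials are placeholders.

```powershell
# Added example (not from the original post). Writes a Logstash pipeline
# for a Beats input and an HTTPS Elasticsearch output, then syntax-checks it.
# Every path, host name and credential below is a placeholder.
$LogstashHome = "C:\Program Files\logstash\logstash"    # from the log above
$Pipeline = Join-Path $LogstashHome "config\beats.conf"  # placeholder file name

# Single-quoted here-string: PowerShell does not interpolate, so the
# Logstash %{...} field references are written through literally.
@'
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "C:/ELK/certs/logstash.crt"    # placeholder path
    ssl_key => "C:/ELK/certs/logstash.pkcs8.key"      # beats input needs a PKCS#8 key
  }
}

output {
  elasticsearch {
    hosts => ["https://192.0.2.10:9200"]              # placeholder host
    user => "logstash_writer"                         # placeholder user with write privileges
    password => "changeme"                            # placeholder; prefer the Logstash keystore
    ssl => true                                       # boolean bareword, not "ture"
    ssl_certificate_verification => true
    cacert => "C:/ELK/certs/ca.crt"                   # quoted: "C:" cannot be a bareword
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
'@ | Set-Content -Path $Pipeline -Encoding ascii

# Parse the pipeline without starting it. A typo like "ture" or an unquoted
# "C:\..." path is reported here, with line and column, instead of at startup.
& (Join-Path $LogstashHome "bin\logstash.bat") -f $Pipeline --config.test_and_exit
```

Keeping `ssl_certificate_verification => true` with a `cacert` that points at the CA used for the Elasticsearch HTTP certificate is what makes the TLS hop actually verify the server; dropping verification to get past certificate errors leaves the link open to interception.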
